The smart grid and the need for privacy protection, now rather than later

It’s nice to see Ontario’s information and privacy commissioner, Ann Cavoukian, being so proactive on the issue of privacy as it relates to deployment of the smart grid. (Disclosure: Cavoukian is a good friend of mine and co-author of a book we wrote on privacy issues back in 2002.)

Cavoukian’s latest annual report highlights the privacy risks involved with the rising use of smart meters and the increased collection of granular data about when and where people are using electricity. “In a future smart grid scenario that does not build in privacy, intimate details of hydro customers’ lives could be easily discerned by data automatically fed by appliances and other devices to the companies providing electric power (eg. what time you cook, shower, or go to bed — and the security issues such as whether the house has an alarm system),” Cavoukian writes in her report. “Once inferences can be drawn on granular energy consumption information flowing outside of the home, such as real-time energy use data, future consumers may have questions including: Who will have access to this sensitive data? For what purposes? What are the obligations of companies making smart appliances and smart grid systems to protect my privacy?”

Cavoukian has a new program called Privacy By Design, which focuses on the need to build privacy into new technologies and systems from the outset, rather than scrambling to make privacy/security fixes after there has been a major — and often embarrassing — information breach. The whole point of this is to learn from past mistakes during the early days of Internet, Web and e-commerce development, when companies rushed ahead to come out with services without considering the privacy implications. This got many companies, including big names like Intel and DoubleClick but also high-profile retailers, into a lot of hot water. The rise in identity theft only brought increased attention to the problem. Whether it was disgruntled employees looking to take advantage of this information from the inside, or clever hackers looking to steal information for a profit or for bragging rights, having so much detailed information about individuals in one place is — in Cavoukian’s words — a “treasure trove” that needs to be protected like Fort Knox. You can bet there are already hackers out there looking to make a name for themselves by being the first to access consumer information through smart grid infrastructure, even during these early days.

That’s why it’s crucial that utilities and their partners think of information privacy and security now, rather than as a Band-Aid measure later. Not only is this a good strategy to avoid future legal challenges, it will also save them a lot of hassle and embarrassment in the long run if they treat privacy/security seriously from Day 1. For that reason, I think Cavoukian’s Privacy By Design message needs to spread across the industry as we embark on what’s expected to be a massive, multibillion-dollar smart grid buildout.

2 thoughts on “The smart grid and the need for privacy protection, now rather than later”

I agree security is important. We don’t want people hacking smart grid technology, etc. But I often think a lot of good could come from making utility data publicly available. Energy auditors/retrofitters could market to homes with the biggest power/energy use per sqft and there’d be more impetus for people to make their homes more efficient if their neighbours could see how big their energy footprint was. Some loss of privacy, yes, but at a large benefit for the environment, the city (air quality, etc.) and even the homeowners (reduced utility bills)… As a homeowner, if I were on a smart grid I would actually appreciate being able to compare more granular data with other houses – for example, it could guide me to make energy efficiency improvements without needing to get an audit just by comparing how much more energy my A/C gobbles than all of my neighbours. Just a thought…

There is a security risk in releasing live energy usage data or detailed usage data where occupancy patterns can be made out. This would help would-be thieves to plan when to strike.

However, are there any privacy issues with releasing how much energy a house uses in a given year? Having this information embedded into a neighbourhood map that shows all houses has been shown to lead to conservation as people don’t want to be outdone by their neighbours. It would also be a useful tool to identify grow-ops, and possibly for energy efficiency service agencies to target key energy consumption groups. Is there a limit to what information should be locked up in Fort Knox?